[isapros] Re: SMTP Filter

From: Jim Harrison <Jim@xxxxxxxxxxxx>
To: "isapros@xxxxxxxxxxxxx" <isapros@xxxxxxxxxxxxx>
Date: Wed, 27 Feb 2008 06:49:40 -0800
There's a problem with trying to simulate that; telnet sends <CRLF> when you 
hit <enter>.
Most folks don't have the toolz you do <g>.

-----Original Message-----
From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-bounce@xxxxxxxxxxxxx] On 
Behalf Of Thor (Hammer of God)
Sent: Wednesday, February 27, 2008 6:18 AM
To: isapros@xxxxxxxxxxxxx
Subject: [isapros] Re: SMTP Filter

You've directly connected to the SMTP server via ISA and manually
entered the character sequence to verify this?  With the SMTP filter
applied, I don't get this error.  Further, like I said last time, you
don't get SMTP error messages when the filter trigger terminates the
connection - it just terminates.

But I'm assuming you've disabled the SMTP filter and everything works?

t

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Wednesday, February 27, 2008 3:08 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
>
> Feedback:
>
> "Absolutely.  And that's why "<CR>.<CR>" should just be passed
straight
> through like any other random sequence of characters, and not cause
the
> session to abort with a  "Syntax error" ..."
>
> Let me know if this is pushing the boundaries of the mailing list and
I
> will get them to log a PSS call. If not, keep posting!
>
> Jason Jones | Security | Silversands Limited | Desk: +44 (0)1202
360489
> | Mobile: +44 (0)7971 500312 | Email/MSN:
jason.jones@xxxxxxxxxxxxxxxxx
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: 26 February 2008 22:55
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
>
> Tell them I said to read RFC 2821:
> http://rfc.net/rfc2821.html#s4.1.1.4
> <quote>
> The mail data is terminated by a line containing only a period, that
>    is, the character sequence "<CRLF>.<CRLF>"
> </quote>
>
> They didn't say "something almost, but not quite totally unlike
> <CRLF>.<CRLF>".
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Tuesday, February 26, 2008 1:02 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
>
> Guys,
>
> Here's more background below. From what I can tell the only way to
> prevent this is to disable the SMTP filter for the publishing rule
that
> provide access from the Unix mail relays to Exchange. I was hoping for
> something a little more granular but can't see how to do this in the
> GUI.
>
> Cheers
>
> JJ
>
> -------
> If Unix forwards a message to ISA / Exchange terminated with  "CR CR .
> CR CR"   the ISA smtp filter drops the connection and returns a 421
> 5.5.2  error, (rather than dropping/rejecting the message) this causes
> the mail queues on the Unix servers to back-up.
>
> Is it possible to change the status code ISA Returns to a more
> appropriate code, or otherwise ignore this check?
>
> The email below explains in  a bit more detail.
>
> Okay, so it's ISA not Exchange, but ...
>
> We are getting messages stuck in our queues on their way into
Exchange.
> The ISA server replies with
>
> 421 5.5.2 Syntax error (invalid DATA termination)
>
> and the messages are held with
>
> xxx@xxxxxx Deferred: 421 5.5.2 Syntax error (invalid DATA termination)
>
> This is a problem, since it is interpreted as a temporary server
> failure and a request to try again later, effectively blocking all
> further mail to that server on that queue run, and leaving a backlog
of
> messages in the queue.
>
> Now the Microsoft site says that means
>
> "SMTP filter encountered an invalid DATA terminator Some character
> combinations in DATA may pose a security risk. The connection has been
> terminated.
> SMTP filter event
> Invalid DATA termination"
>
> And it appears the cause is the occurrence of
>
> CR CR . CR CR
>
> in the message, accepted and passed on by our sendmail-based relays .
> It appears that ISA will not accept this, and returns a 421 response,
> meaning try again later.  This seems wrong, since it is not a
temporary
> failure, and the message will never be delivered. Surely the correct
> thing to do is either accept the message, or reject it with a
permanent
> failure so that the sender can be notified.
>
> Is there any way to disable or modify this behaviour within ISA ?
>
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
> Sent: 26 February 2008 17:58
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] Re: SMTP Filter
>
> What - you want to add the \r\r.\r\r in the filter definitions?
> Is this sequence sent with or without actual mail content?
>
> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx [mailto:isapros-
> bounce@xxxxxxxxxxxxx] On Behalf Of Jason Jones
> Sent: Tuesday, February 26, 2008 9:37 AM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] SMTP Filter
>
> Hi,
>
> Is there any way to modify the ISA SMTP filter behaviour outside of
the
> GUI?
>
> We have a customer who is getting a weird error from the SMTP filter
> when the *data* portion contains "CR CR . CR CR". The problem  is that
> instead of rejecting the connection, as I would have expected, the
> filter returns a 421 error, which essentially means "syntax error
> (invalid data termination), try again later" causing a backlog on the
> upstream SMTP server.
>
> I am guessing this is a log with PSS job to determine if the behaviour
> is a bug, or by design...just wondered in anyone had any similar
> experiences or thoughts?
>
> Cheers
>
> JJ
>
>
>
>   ________________________________
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is addressed.
> If you have received this email in error, or if you believe this email
> is unsolicited and wish to be removed from any future mailings, please
> contact our Support Desk immediately on 01202 360360 or email
> helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is
> valid for 7 days and offered subject to Silversands Professional
> Services Terms and Conditions, a copy of which is available on
request.
> Any pricing information, design information or information concerning
> specific Silversands' staff contained in this email is considered
> confidential or of commercial interest and exempt from the Freedom of
> Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do
> not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>
>
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is addressed.
> If you have received this email in error, or if you believe this email
> is unsolicited and wish to be removed from any future mailings, please
> contact our Support Desk immediately on 01202 360360 or email
> helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is
> valid for 7 days and offered subject to Silversands Professional
> Services Terms and Conditions, a copy of which is available on
request.
> Any pricing information, design information or information concerning
> specific Silversands' staff contained in this email is considered
> confidential or of commercial interest and exempt from the Freedom of
> Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do
> not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>
>
>
>
>
> This email and any files transmitted with it are confidential and
> intended solely for the use of the individual to whom it is addressed.
> If you have received this email in error, or if you believe this email
> is unsolicited and wish to be removed from any future mailings, please
> contact our Support Desk immediately on 01202 360360 or email
> helpdesk@xxxxxxxxxxxxxxxxx
>
> If this email contains a quotation then unless otherwise stated it is
> valid for 7 days and offered subject to Silversands Professional
> Services Terms and Conditions, a copy of which is available on
request.
> Any pricing information, design information or information concerning
> specific Silversands' staff contained in this email is considered
> confidential or of commercial interest and exempt from the Freedom of
> Information Act 2000.
>
> Any view or opinions presented are solely those of the author and do
> not necessarily represent those of Silversands
>
> Silversands Limited, 3 Albany Park, Cabot Lane, Poole, BH17 7BX.
> Company Registration Number : 2141393.
>
Follow-Ups:
- [isapros] Re: SMTP Filter
  - From: Thor (Hammer of God)
References:
- [isapros] SMTP Filter
  - From: Jason Jones
- [isapros] Re: SMTP Filter
  - From: Jim Harrison
- [isapros] Re: SMTP Filter
  - From: Jason Jones
- [isapros] Re: SMTP Filter
  - From: Jim Harrison
- [isapros] Re: SMTP Filter
  - From: Jason Jones
- [isapros] Re: SMTP Filter
  - From: Thor (Hammer of God)
[isapros] Re: SMTP Filter

Other related posts:
